3.1 Scope
The scope of this section is to establish the Risk Management process for Cyber Security
on board the vessel.
The level of cyber risk will reflect the circumstances of the ship (its operation and trade), the IT and OT systems used, and the information and/or data stored. The maritime industry possesses a range of characteristics which affect its vulnerability to cyber incidents:
The cyber controls already implemented by the Company and on board its ships.
Multiple stakeholders are often involved in the operation and chartering of a ship, potentially resulting in a lack of accountability for the IT infrastructure.
The ship being online and how it interfaces with other parts of the global supply chain.
Ship equipment being remotely monitored, e.g. by the manufacturers.
Business-critical, data-sensitive and commercially sensitive information shared with shore-based service providers.
The availability and use of computer-controlled critical systems for the ship's safety and for environmental protection.
The confidentiality, integrity and availability (CIA) model provides a framework for
assessing the impact of:
First Wave Marine Services
TITLE: Cyber Risk Management
Rev No: 0 Date: 23-Jul-22 Section 3: Risk Management
Prepared By: DPA Approved By: MD Page 2 of 10
Level | Definition | Explanation
Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on company and ship, organizational assets, or individuals. | A limited adverse effect means that a security breach might: (i) cause a degradation in ship operation to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Moderate | The loss of confidentiality, integrity, or availability could be expected to have a substantial adverse effect on company and ship, company and ship assets, or individuals. | A substantial adverse effect means that a security breach might: (i) cause a significant degradation in ship operation to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on company and ship operations, company and ship assets, or individuals. | A severe or catastrophic adverse effect means that a security breach might: (i) cause a severe degradation in or loss of ship operation to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
The risk assessment process starts by assessing the systems on board. Risks to IT and OT systems may include:
Deliberate and unauthorized breaches
Unintentional or accidental breaches
Inadequate system integrity, such as firewalls and/or virus protection.
During the initial assessment of cyber risk on board a vessel, the Company shall complete a Ship Cyber Security Assessment (SCSA) [Appendix - 4] to map the robustness of the systems on board and to determine measures to handle the current level of cyber threats.
A Ship Cyber Security Assessment (SCSA) for the vessel shall include:
The procedures and service providers of onboard equipment and systems shall be consulted to understand the technical and procedural controls that address cyber security. Further, any identified cyber vulnerability in the factory-standard configuration of a critical system or component should be disclosed to the supplier to facilitate better protection of the equipment in the future.
The Ship Cyber Security Plan and the Ship Cyber Security Assessment (SCSA) shall be reviewed annually by the Master/SCSO to identify any gaps and enhance cyber security protection measures.
Recordkeeping:
Where felt necessary, the Company may complement its own risk assessment with third-party risk assessments to drill deeper and identify the risks and the gaps.
Where it is felt that a threat may exist to the cyber security of the vessel while carrying out an activity which is not already covered by the Ship Cyber Security Assessment (SCSA), the Master/SCSO shall initiate a case-by-case risk assessment and seek approval from the Company. Such scenarios may include:
Such risk assessments shall be completed using the risk assessment templates provided on the Company database and sent to the DPA for review.
Some IT and OT systems are remotely accessible and may operate with a continuous internet connection for remote monitoring, data collection, maintenance functions, safety and security. These systems can be "third-party systems", whereby the contractor monitors and maintains them via remote access. These systems could involve both two-way data flow and upload only. Systems and workstations with remote control, access or configuration functions could, for example, be:
Bridge and engine room computers and workstations on the ship's administrative network.
Cargo such as containers with reefer temperature control systems or specialized cargo that is tracked remotely (food containers).
Stability decision support systems.
Hull stress monitoring systems.
Navigational systems, including Electronic Navigation Chart (ENC), Voyage Data Recorder (VDR) and dynamic positioning (DP).
Offshore cargo handling, engine, and cargo management systems.
Safety and security networks, such as CCTV (closed-circuit television).
The extent and nature of the connectivity of equipment should be known and documented by the vessel as part of the risk assessment.
3.6.3 Risk from allowing use of personal and portable devices (BYOD)
It is recognized that personnel may be allowed to bring their own devices (BYOD) on board to access the ship's systems or network. Although this may be both beneficial and economical for ships, these devices may be unmanaged, which significantly increases the possibility of vulnerabilities being exposed. The use of such devices shall be authorized and controlled by the Master / Ship Cyber Security Officer. Due consideration shall be given to segregating such devices from the ship's network so that the ship's IT and OT systems are not exposed to cyber security threats.
Change Management.
Installation of new IT or OT systems or removal of any IT or OT systems.
Software maintenance or restoration and patch management.
Use of devices brought by a third party to make changes/upgrades to IT or OT systems.
Anti-virus and anti-malware installation or update.
In general, the following points shall be taken into consideration for any Management of Change (MOC) request:
Scope ‐ Organizational, Operational, Engineering and/or Software changes.
Level of change – Emergency, Temporary, Permanent changes.
Levels of Authority for approval of MOC – Master, Superintendent, Group Head,
Director, MOC Committee.
hardware or softwares (row continued from the preceding page) | | | | Or Higher
Structural Changes | Master / Superintendent | TM or Equivalent | TM or Equivalent | TM or Equivalent or Higher
Change in Manning Level | Master / Superintendent | TM or Equivalent | TM or Equivalent | TM or Equivalent or Higher
TM – Technical Manager
Figure 2 – Matrix for Level for proposal and approval
The proposal and approval process for MOC shall follow the Company's separation-of-duties principles to avoid conflicts of interest. Safety management implementation shall be reviewed periodically (annually) with respect to proposed cyber security changes and updates.